How Efficiency of Password Attack Based on a Keyboard

Authors: Hsien-cheng Chou, Fei-pei Lai, Hung-chang Lee

Abstract:

At present, the dictionary attack is the basic tool for recovering key passwords. To avoid dictionary attacks, users purposely choose other character strings as passwords. According to statistics, about 14% of users choose keys on a keyboard (Kkey, for short) as passwords. This paper develops a framework system to attack passwords chosen from Kkeys and analyzes its efficiency. Within this system, we build keyboard rules using the adjacent and parallel relationships among Kkeys and then use these Kkey rules to generate password databases by the depth-first search method. According to the experimental results, the key space of the databases derived from these Kkey rules could be far smaller than that of the password databases generated in a brute-force attack, thus effectively narrowing down the scope of attack research. Taking one general Kkey rule, the combinations of all printable characters (94 types) with Kkey adjacent and parallel relationships, as an example, the derived key space is about 240 smaller than that of a brute-force attack. In addition, we demonstrate the method's practicality and value by successfully cracking the access password to UNIX and PC using the password databases created

Keywords: Brute-force attack, dictionary attack, depth-first search, password attack.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1084974

